Have you ever actually gone through the process of hacking a website? Join me on this wonderful ride of application security powered by the OWASP Juice Shop to demonstrate some of the top website vulnerabilities from the OWASP Top 10. In this training, we will review several different techniques used in web application testing, exploit vulnerabilities discovered manually and with tools, and finally take over the whole show just to see how it’s done. A laptop is not necessary as this exercise is meant to be interactive and entertaining. Be sure to bring your thinking cap and your best hacks.

2. Agenda
• Disclaimer
• #whoami
• OWASP
• Juice Shop
• Live Demonstration
• Attack Techniques
• Reference Material

3. Disclaimer
Any actions and or activities related to the
material contained within this Presentation
is solely your responsibility. The misuse of
the information in this presentation can
result in criminal charges brought against
the persons in question. The author will
not be held responsible in the event any
criminal charges be brought against any
individuals misusing the information in this
presentation to break the law.
Repeat after me: I will not hack without
explicit permission.

4. #whoami
• 15+ Years in Information Security
• 9+ Years at GuidePoint Security
• Technical Account Manager
• SANS Certs++, CEH
• MS Cybersecurity (USF)
• Astute public speaker at fine institutions:
• ISSA, OWASP, ISACA, ISC(2), Security B-Sides

5. • The Open Web Application Security Project® (OWASP) is a
nonprofit foundation that works to improve the security of
software.
• Community-led open source software projects
• Over 250+ local chapters worldwide
• Tens of thousands of members
• Industry-leading educational and training conferences

6. Juice Shop
OWASP Juice Shop is probably the most modern and sophisticated
insecure web application!
It can be used in security trainings, awareness demos, CTFs and as a
guinea pig for security tools!
Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten
along with many other security flaws found in real-world applications!
• The OWASP Top 10 is to educate developers, designers, architects, managers, and
organizations about the consequences of the most common and most important web
application security weaknesses.

8. Cross Site Scripting (XSS)
Application Vulnerability:
• Reflected XSS: The application includes unvalidated and unescaped user input as part of HTML output
• Stored XSS: The application stores unsanitized user input that is viewed later by another user or an admin
• DOM XSS: JavaScript frameworks, single-page applications, and APIs that dynamically include attacker-controllable data to a page
How to Prevent:
• Using frameworks that automatically escape XSS by design, or escaping untrusted HTTP request data based on the context in the HTML
output
Example Attack Scenario:
The application uses untrusted data in the HTML page:
page += "<input name='search' type='TEXT' value='" + request.getParameter("search") + "'>";
The attacker modifies the 'search' parameter in the browser :
'><script>alert(document.cookie);</script>'

9. DIRB – Web content scanner
• It looks for existing (and/or hidden) Web Objects. It basically works by
launching a dictionary-based attack against a web server and analyzing the
responses.
• DIRB comes with a set of preconfigured attack wordlists for easy usage but
you can use your custom wordlists.
• DIRB’s main purpose is to help in professional web application auditing,
especially in security related testing.

10. Null-Byte Injection
Application Vulnerability:
• Null byte is a bypass technique for sending data that would be filtered otherwise
• It relies on injecting the null byte characters (%00, x00) in the supplied data
• Its role is to terminate a string
How to Prevent:
• Using frameworks that automatically escape user input by design, or escaping untrusted HTTP request data and filter all inputs
Example Attack Scenario:
An attacker wants to upload a malicious.php, but the only extension allowed is .pdf.
The attacker constructs the file name such as malicious.php%00.pdf and uploads the file.
The application reads the .pdf extension, validates the upload, and later throws out the end of the string due to the null byte. The file
malicious.php is then put in the server.

11. Insecure Direct Object Reference
Application Vulnerability:
• Type of access control vulnerability that arises when an application uses user-supplied input to access objects directly
• Many access control implementation mistakes can lead to access controls being circumvented
• Most commonly associated with horizontal privilege escalation, but they can also arise in relation to vertical privilege
escalation
How to Prevent:
• If no security controls are in place, an attacker can simply modify the user controlled value, bypassing access controls to
view the records of other customers
Example Attack Scenario:
Consider a website that uses the following URL to access the customer account page, by retrieving information from the
back-end database:
https://insecure-website.com/customer_account?customer_number=132355

12. SQL Injection
Application Vulnerability:
• User-supplied data is not validated, filtered, or sanitized by the application
• Some of the more common injections are SQL, OS command
How to Prevent:
• Preventing injection requires keeping data separate from commands and queries
• Use a safe API, which avoids the use of the interpreter entirely or provides a parameterized interface
Example Attack Scenario:
An application uses untrusted data in the construction of the following vulnerable SQL call:
String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
The attacker modifies the 'id' parameter value in their browser to send: ' or '1'='1. For example:
http://example.com/app/accountView?id=' or '1'='1--

13. Reference
Material
• OWASP:
• https://owasp.org/www-project-top-ten/
• https://owasp.org/www-project-juice-shop/
• Kali Linux:
• https://www.kali.org/docs/introduction/
• https://www.kali.org/tools/dirb/

14. Thank You
jonathan.singer@guidepointsecurity.com
https://twitter.com/jonathansinger
https://www.linkedin.com/in/thejonathansinger/